Cryptographic keys, both for data “at Rest” and “in Motion” (together with their paired digital certificates), have their own life cycle by which they are managed, logically independent of the technology (i.e. the cipher algorithm) and of the scope (rest, motion).
Key Management: Operations
Key Management is composed of many operations, belonging to three different categories: Generation, Recovery, Disposal. The operations are briefly listed here:
1. Generation: creating the key by combining and processing random information available on the system (e.g. log entries, keyboard input, etc.); adding a CSR (Certificate Signing Request), where applicable (only for “in Motion”)
a. Back-Up: saving the key on external, off-line media, separate from the server that uses it
b. Distribution: sharing the key and configuring it for use
c. Usage: using the keys in the normal way; monitoring access to crypto systems and reviewing performance
2. Recovery (only for “at Rest”): handling access requests to data encrypted with an old key (archived but not deleted)
a. Revocation: declaring a key as “no longer in use”, following a key replacement
b. Archive: archiving the key and holding it for later recovery (only for “at Rest”)
3. Disposal: deleting the key; no further recovery can be performed
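The life cycle listed above, as an added example that is not part of the original page: a small Python state machine that enforces the order of operations and the “at Rest”-only rule for Archive and Recovery. The state names, the transition table (read off the order of the list) and the KeyRecord class are assumptions of this example.

```python
from enum import Enum

class Scope(Enum):
    AT_REST = "at Rest"
    IN_MOTION = "in Motion"

State = Enum("State", "GENERATED BACKED_UP DISTRIBUTED IN_USE REVOKED ARCHIVED DISPOSED")

# Assumption of this example: allowed transitions follow the order of the list above.
TRANSITIONS = {
    State.GENERATED: {State.BACKED_UP},
    State.BACKED_UP: {State.DISTRIBUTED},
    State.DISTRIBUTED: {State.IN_USE},
    State.IN_USE: {State.REVOKED},
    State.REVOKED: {State.ARCHIVED, State.DISPOSED},
    State.ARCHIVED: {State.DISPOSED},
    State.DISPOSED: set(),  # terminal: no more recovery
}

class LifecycleError(Exception):
    """Raised when an operation is requested out of life-cycle order."""

class KeyRecord:
    """Tracks the life-cycle state of one key; holds no key material."""

    def __init__(self, key_id, scope):
        self.key_id, self.scope = key_id, scope
        self.state = State.GENERATED
        self.history = [State.GENERATED]  # audit trail of states

    def advance(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise LifecycleError(f"{self.key_id}: {self.state.name} -> {new_state.name} not allowed")
        if new_state is State.ARCHIVED and self.scope is not Scope.AT_REST:
            raise LifecycleError(f"{self.key_id}: Archive applies only to 'at Rest' keys")
        self.state = new_state
        self.history.append(new_state)

    def may_encrypt(self):
        # Only a key in normal usage may protect new data.
        return self.state is State.IN_USE

    def may_decrypt(self):
        # Recovery: an archived "at Rest" key may still open old data.
        return self.state is State.IN_USE or (
            self.state is State.ARCHIVED and self.scope is Scope.AT_REST)
```

A key-srv style service would call may_encrypt() and may_decrypt() before every operation and log each advance() for the access monitoring named under Usage.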
Key Management: Tools
Only previously authorized tools should be used for key management (Generation, Hold, Back-Up, etc). At least 2 tools should be in place, for asymmetric and symmetric keys, respectively:
· key-mgmt: device intended for key generation, holding and archiving. It is used for generating private keys and issuing the signing requests. It acts as an archive for storing all the keys, both private and symmetric
· key-srv: device intended for symmetric key generation and usage. It performs data encryption and decryption (“Data at Rest”)
To guarantee the required security level, special care should be paid to these tools, which belong to the Cryptographic Operation Area, characterized by the following:
· Protected Physical Area
· Access Control
· Security Monitoring